PRIVACY POLICY

Marsh, part of the Marsh & McLennan Companies, Inc. (MMC) group, strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients. Marsh’s services consist primarily of risk consulting and insurance intermediation, which facilitate the consideration of, access to, administration of, and making of claims in respect of, insurance services.

Insurance is the pooling and sharing of risk against a possible eventuality. In order to do this, information, including the Personal Data of different categories of individuals, needs to be shared between different insurance market participants through the insurance lifecycle.

To clarify the terms used in this Privacy Notice we have set out the roles of the key Insurance Market Participants below:

Policyholders: Request insurance to protect themselves against risks that could affect them. They may approach an Intermediary (such as Marsh) to purchase insurance or they may approach an Insurer directly or via a price comparison website.

Intermediaries: Help Policyholders and Insurers arrange insurance cover. They may offer advice and handle claims. Many insurance and reinsurance policies are obtained through Intermediaries.

Insurers: Sometimes also called underwriters. Provide insurance cover to Policyholders in return for payment (premium).

Reinsurers: Provide insurance cover to another Insurer or Reinsurer. That insurance is known as reinsurance.

During the insurance lifecycle Marsh may receive Personal Data relating to potential or actual Policyholders, Beneficiaries under a policy, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this Privacy Notice include any living person from the preceding list, whose Personal Data Marsh receives in connection with the services it provides under its engagements with its clients. This Privacy Notice sets out Marsh’s uses of this Personal Data and the disclosures it makes to other Insurance Market Participants and other third parties.

A glossary of key terms used in this Privacy Notice can be found here.

In certain cases, and for the purposes of performing some services, Marsh and its client may have agreed that Marsh is a processor. When Marsh acts as a processor, it complies with the obligations set out in the agreement concluded with its client.

Personal information that may be processed

We may collect and process the following Personal Data:

Individual details: Name, address (and proof of address), other contact details (e.g., email and telephone details), gender, marital status, family details, date and place of birth, employer, job title and employment history, relationship to the policyholder, insured, beneficiary or claimant.

Identification details: Identification numbers issued by government bodies or agencies (e.g., depending on the country you are in, social security or national insurance number, passport number, ID number, tax identification number, driver’s license number).

Financial information: Payment card number, bank account number and account details, income and other financial information.

Insured risk: Information about the insured risk, which contains Personal Data and may include, only to the extent relevant to the risk being insured:

Policy information: Information about the quotes individuals receive and the policies they obtain.

Credit and anti-fraud data: Credit history and credit score, information about fraud convictions, allegations of crimes and sanctions details received from various anti-fraud and sanctions databases, or regulators or law enforcement agencies.

Previous claims: Information about previous claims, which may include health data, criminal records data, and other Special Categories of Personal Data (as described in the Insured Risk definition above).

Current claims: Information about current claims, which may include health data, criminal records data, and other Special Categories of Personal Data (as described in the Insured Risk definition above).

Marketing data: Whether or not the individual has consented to receive marketing from us and from third parties.

Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.

Sources of personal data

We collect Personal Data from various sources, including (depending on the country you are in):

Individuals and their family members, online or by telephone, or in written correspondence

Individuals’ employers

In the event of a claim, third parties including the other party to the claim (claimant/ defendant), witnesses, experts (including medical experts), loss adjustors, lawyers and claims handlers

Other insurance market participants, such as Insurers, Reinsurers and other Intermediaries

Anti-fraud databases and other third party databases, including sanctions lists

Government agencies, such as vehicle registration authorities and tax authorities

Claim forms

How we use and disclose your personal data

In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information.

These “legal grounds” are set out in the General Data Protection Regulation (GDPR), which allows companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the regulation (the full description of each of the grounds can be found here).

Consent

In order to facilitate the provision of insurance cover and administer insurance claims, we rely on the data subject’s consent to process Special Categories of Personal Data and Criminal Records Data, such as medical and criminal convictions records, as set out in the table above and for profiling as set out in the next section. This consent allows us to share the information with other Insurers, Intermediaries and Reinsurers that may need to process the information in order to undertake their role in the insurance market (which in turn allows for the pooling and pricing of risk in a sustainable manner).

The affected individual’s consent to this processing of Special Categories of Personal Data and Criminal Records Data is a necessary condition for Marsh to be able to provide the services the client requests.

Where you are providing us with information about a person other than yourself, you agree to notify them of our use of their Personal Data and to obtain such consent for us.

Individuals may withdraw their consent to such processing at any time. However, doing so may prevent Marsh from continuing to provide the services. In addition, if an individual withdraws consent to an Insurer’s or Reinsurer’s processing of their Special Categories of Personal Data and Criminal Records Data, it may not be possible for the insurance cover to continue.

Profiling and automated decision making

Insurance premiums are calculated by Insurance Market Participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires Marsh and other Insurance Market Participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. Marsh and other Insurance Market Participants may use Special Categories of Personal Data and Criminal Records Data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.

Marsh and other Insurance Market Participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns and the probability of future losses actually occurring in claims scenarios.

We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models. In the following cases, decisions are made exclusively based on the models and the benchmarking of Personal Data to the models by automated means:

Automated broking platform

Where clients use an automated broking platform, insurance quotations are offered entirely by matching whether the attributes that the client has provided meet the criteria set by the insurers, which determines (a) whether a quotation will be made; (b) on what terms; and (c) at what price. Each insurer will use different algorithms to determine their pricing, and clients must consult each insurer’s privacy policy for further details. Our platform merely queries whether attributes of potential insureds satisfy insurers’ models and then returns the results. If the potential insured’s attributes do not satisfy insurers’ models, the quotation request is referred for review by a team with underwriting authority. We also apply fraud prediction algorithms to the information clients provide to assist us in detecting and preventing fraud. We regularly review all profiling and associated algorithms against inaccuracies and bias.

These partially automated processes may result in a client not being offered insurance or affect the price or terms of the insurance.

Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime, but generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.

Safeguards

We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorized access. If appropriate, the safeguards include the encryption of communications via SSL, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.

Limiting collection and retention of personal information

We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Notice or as permitted by law. If we require Personal Data for a purpose inconsistent with the purposes we identified in this Privacy Notice, we will notify clients of the new purpose and, where required, seek individuals’ consent (or ask other parties to do so on Marsh’s behalf) to process Personal Data for the new purposes.

Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose or as required by law. For example, we may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the data.

Cross-border transfer of personal information

Marsh transfers Personal Data to, or permits access to Personal Data from, countries outside the European Economic Area (EEA). These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the EEA. We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.

Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. EU data protection laws allow Marsh to freely transfer Personal Data to such countries.

If we transfer Personal Data to other countries outside the EEA, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements.

Individuals can request additional information about the specific safeguards applied to the export of their Personal Data by contacting the Compliance Officer at the address below.

ACCURACY, ACCOUNTABILITY, OPENNESS AND YOUR RIGHTS

We strive to maintain Personal Data that is accurate, complete and current. Individuals should contact us at marsh.bulgaria@marsh.com to update their information.

Under certain conditions, individuals have the right to request Marsh to:

Provide further details on how we use and process their Personal Data;

Provide a copy of the Personal Data we maintain about the individual;

Update any inaccuracies in the Personal Data we hold;

Delete Personal Data that we no longer have a legal ground to process;

Where processing is based on consent, to withdraw the consent;

Object to any processing of Personal Data that Marsh justifies on the “legitimate interests” legal grounds, unless our reasons for undertaking that processing outweigh any prejudice to the individual’s privacy rights; and

Restrict how we process the Personal Data while we consider your inquiry.

These rights are subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). We will respond to most requests within 30 days.

If we are unable to resolve an inquiry or a complaint, individuals have the right to lodge a complaint with the applicable supervisory authority, the Information Commissioner’s Office.

QUESTIONS, REQUESTS OR COMPLAINTS

To submit questions or requests regarding this Privacy Notice or Marsh’s privacy practices, please write to the Compliance Officer at the following address:

CHANGES TO THIS PRIVACY NOTICE

This Privacy Notice is subject to change at any time. It was last changed on 10.04.18. If we make changes to this Privacy Notice, we will update the date it was last changed. Any changes we make to this Privacy Notice become effective immediately.

A copy of this Privacy Notice (and any significant changes) can be obtained from here. Please note this URL is not available via a general search of the web.

COOKIE SETTINGS

Marsh uses cookies on this site. Cookies are pieces of information shared between your web browser and a website. Use of cookies enables a faster and easier experience for the user. A cookie cannot read data off your computer’s hard drive.

For more information about our cookie policy and the different types of cookies and web beacons we use, please click “Cookie Details” below or read Marsh’s Cookie Policy.

Please consult your web browser’s “Help” documentation or visit aboutcookies.org for more information about how to turn cookies on and off for your browser.

PLEASE SELECT YOUR PREFERRED COOKIE SETTING

Strictly Necessary: This cookie setting will allow you to move around the website and use its features, and allow you to access secure areas of the website.

Performant: This cookie setting will allow you to move around the website and use its features, allow you to access secure areas of the website, collect non-personal information about how visitors use the website, and record and count the number of visitors of certain webpages.

Functional: This cookie setting will allow you to move around the website and use its features, allow you to access secure areas of the website, collect non-personal information about how visitors use the website, record and count the number of visitors of certain webpages, remember your log-in details, and remember your personal settings.

COOKIE DETAILS

Category: Strictly Necessary
Name: AWSELB
Host: Marsh
Domain: www.marsh.com
Purpose: Performance/Networking
Expiration: 30 minutes
Description: This cookie is used by Amazon Web Services for elastic load balancing functionality for routing client requests on the server.

Category: Strictly Necessary
Name: disableAA
Host: Marsh
Domain: www.marsh.com
Purpose: Usability
Expiration: Based on settings
Description: This cookie is set when “strictly necessary” is selected in the cookie settings.

Description: This cookie is set after the preferred cookie setting is selected and determines the cookies that will be installed and deleted.

Category: Strictly Necessary
Name: QSI_HistorySession
Host: Marsh
Domain: www.marsh.com
Purpose: Usability
Expiration: After session ends
Description: This cookie stores what pages a visitor has visited for the current session.

Category: Strictly Necessary
Name: saml_request_path
Host: Marsh
Domain: www.marsh.com
Purpose: Usability
Expiration: 1 day
Description: This cookie stores the page to which the user will be redirected after logging in at Marsh.com.

Category: Performant
Name: _ga
Host: Marsh
Domain: www.marsh.com
Purpose: Analytics
Expiration: 2 years
Description: This cookie is used by Google Analytics to register a unique ID that is used to generate statistical data on how the visitor uses Marsh.com.

Category: Performant
Name: _gat
Host: Marsh
Domain: www.marsh.com
Purpose: Analytics
Expiration: 10 minutes
Description: This cookie is used by Google Analytics to throttle the request rate, limiting the collection of data on high traffic websites.

Category: Performant
Name: _sdsat_landing_page
Host: Marsh
Domain: www.marsh.com
Purpose: Analytics
Expiration: After session ends
Description: This cookie stores the landing page name through which the user arrives at Marsh.com and the time index.

Category: Performant
Name: _sdsat_traffic_source
Host: Marsh
Domain: www.marsh.com
Purpose: Analytics
Expiration: After session ends
Description: This cookie stores the landing page name through which the user arrives at Marsh.com.

Category: Performant
Name: NID
Host: Google
Domain: www.google.com
Purpose: Analytics
Expiration: 2 years
Description: This cookie is used by Google to measure the traffic, identify which browser is used and what settings are used.

Category: Functional
Name: AMCV_###@AdobeOrg
Host: Marsh
Domain: www.marsh.com
Purpose: Usability
Expiration: 2 years
Description: This cookie is used by Adobe Marketing Cloud to store a visitor ID that is used across Adobe Marketing Cloud Solutions.

Category: Functional
Name: browserAlert
Host: Marsh
Domain: www.marsh.com
Purpose: Usability
Expiration: On page refresh
Description: This cookie is used to disable the unsupported browser message.

Category: Functional
Name: consentCookie
Host: Marsh
Domain: www.marsh.com
Purpose: Usability
Expiration: 90 days
Description: This cookie is set when the implied cookie consent message is accepted.

Category: Functional
Name: marshCountrySite
Host: Marsh
Domain: www.marsh.com
Purpose: Usability
Expiration: 1 year
Description: This cookie stores the preferred Marsh.com country and language landing page of the visitor.

The table on the right is a list of the main cookies set by Marsh websites. Please note that we may modify or update our cookies. This list will be updated whenever this occurs.

There are different kinds of cookies with different functions:

Session cookies: These are only stored on your computer during your web session. They are automatically deleted when the browser is closed. They usually store an anonymous session ID allowing you to browse a website without having to log in to each page. They do not collect any information from your computer.

Persistent cookies: A persistent cookie is one stored as a file on your computer, and it remains there when you close your web browser. The cookie can be read by the website that created it when you visit that website again.

First-party cookies: The function of this type of cookie is to retain your preferences for a particular website for the entity that owns that website. They are stored and sent between Marsh’s servers and your computer’s hard drive. They are not used for anything other than for personalization as set by you. These cookies may be either session or persistent cookies.

Third-party cookies: The function of this type of cookie is to retain your interaction with a particular website for an entity that does not own that website. They are stored and sent between the third-party’s server and your computer’s hard drive. These cookies are usually persistent cookies.

Except as described in this cookie notice, we do not use third-party cookies on our sites, although we do use third party provided web beacons. The site may also use web beacons (including web beacons supplied or provided by third parties) alone or in conjunction with cookies to compile information about users’ usage of the site and interaction with e-mails from Marsh. Web beacons are clear electronic images that can recognize certain types of information on your computer, such as cookies, when you viewed a particular site tied to the web beacon, and a description of a site tied to the web beacon. We use web beacons to operate and improve the sites and e-mail communications. We may use information from web beacons in combination with other data we have about our clients to provide you with information about Marsh and our services. We will conduct this review on an anonymous basis.

This site does use Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity, and providing other services relating to website activity and internet usage for Marsh and its affiliates. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

When you visit our sites, Marsh collects your internet protocol (“IP”) addresses to track and aggregate non-personal information. For example, Marsh uses IP addresses to monitor the regions from which users navigate the sites. IP addresses will be stored in such a way so that you cannot be identified from the IP address.

We use cookies for the following purposes:

Strictly necessary: These cookies are essential in order to enable you to move around the site and use its features, such as accessing secure areas of the site. Without these cookies, services you have asked for, such as obtaining a quote or logging into your account, cannot be provided. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the internet.

Performance: These cookies collect information about how visitors use a site, for instance which pages visitors go to most often, and if they get error messages from web pages. They also allow us to record and count the number of visitors to the site, all of which enables us to see how visitors use the site in order to improve the way that our site works. These cookies do not collect information that identifies a person, as all information these cookies collect is anonymous and is used to improve how our site works.

Functionality: These cookies allow our site to remember choices you make (such as your user name, language or the region you are in) and provide enhanced features. For instance, a site may be able to remember your log in details, so that you do not have to repeatedly sign in to your account when using a particular device to access our site. These cookies can also be used to remember changes you have made to text size, font and other parts of web pages that you can customize. They may also be used to provide services you have requested such as viewing a video or commenting on an article. The information these cookies collect is usually anonymized. They do not gather any information about you that could be used for advertising or remember where you have been on the internet.

For information on all of these categories of cookies, and for more information generally on cookies please refer to aboutcookies.org.